How do I demonstrate that .NET class Random is not suitable for generating passwords?

Tags: c#, .net, random

Very often I see the .NET class Random being used for password generation.

On one hand, this question I asked earlier shows that generating a bunch of "secret" data using class Random yields rather predictable data. On the other hand, I'm currently trying to perform that exact prediction and my code works at a speed of about six million seed guesses per day on a single core - not extremely fast, it will take almost a year to enumerate all possible seed values at that rate.

Is there a clearer and faster way to show that passwords generated using data from class Random() are much weaker than typically expected?

asked by sharptooth, Nov 14 '22 06:11


1 Answer

Let me put it this way: Pick a random number generator that is adequate for the number of passwords you want to generate. With an alphabet size of 36 (digits and only uppercase or only lowercase letters) you extract only a small fraction of the internal state of the RNG. And even if you generate 40000 characters that way, that's still only about 21 bits of information. Your algorithm in the other question only generates 4 random characters in addition to the prefix. It would be easier for an attacker to brute-force all possible passwords instead of brute-forcing the RNG state in order to figure out the next password to be generated.

Actually, the worst mistake you can make when using a simple RNG to generate passwords is to generate a large number of them. If you only generate them on demand and always with a freshly-seeded RNG, an attacker will have a hard time figuring out the seed and thus the password. The default implementation of System.Random takes the time passed since system start in milliseconds as seed. Good luck figuring that out.

answered by Wormbo, Dec 10 '22 13:12
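An added example, written for this page and not code from either poster, that puts numbers on the trade-off the answer describes: a password drawn from a seeded `System.Random` is a pure function of one 32-bit seed, so its strength is capped at min(log2(36^n), 32) bits, while the same alphabet filled from `System.Security.Cryptography.RandomNumberGenerator` keeps the full log2(36^n). It assumes .NET Core 3.0 or later (for `RandomNumberGenerator.GetInt32` and `Math.Log2`); the 36-symbol alphabet and the sample seed are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;

public static class PasswordStrengthDemo
{
    // Constructed 36-symbol alphabet: lowercase letters and digits, as in the answer.
    const string Alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";

    // Weak: every character is a function of one 32-bit seed (in the answer's
    // scenario a millisecond tick count), so the password never carries more
    // than 32 bits however long it is.
    public static string FromSeededRandom(int seed, int length)
    {
        var rng = new Random(seed);
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[rng.Next(Alphabet.Length)];
        return new string(chars);
    }

    // Hardened: each index comes from the OS CSPRNG; GetInt32 draws uniformly
    // in [0, toExclusive) without modulo bias.
    public static string FromCsprng(int length)
    {
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        return new string(chars);
    }

    // Size of the password space in bits: log2(36^length).
    public static double PasswordSpaceBits(int length) =>
        length * Math.Log2(Alphabet.Length);

    // Work an attacker faces: the smaller of the password space and, for the
    // seeded generator, the 2^32 seed space the question is enumerating.
    public static double EffectiveBits(int length, bool seededRandom)
    {
        double bits = PasswordSpaceBits(length);
        return seededRandom ? Math.Min(bits, 32.0) : bits;
    }

    public static void Main()
    {
        // Same seed, same password: the determinism is the whole problem.
        Console.WriteLine(FromSeededRandom(12345, 8) == FromSeededRandom(12345, 8)); // True
        for (int len = 4; len <= 20; len += 4)
            Console.WriteLine($"{len,2} chars: seeded Random {EffectiveBits(len, true):F1} bits, CSPRNG {EffectiveBits(len, false):F1} bits");
        Console.WriteLine(FromCsprng(12)); // fresh each run, 62 bits of strength
    }
}
```

The printed table shows the crossover the answer alludes to: below about seven characters the password space (36^n) is the smaller target, so brute-forcing passwords beats brute-forcing seeds; beyond that the seeded generator stays pinned at 32 bits while the CSPRNG version keeps growing.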